
February 27 2014

Our Comrade, The Electron (Maciej Ceglowski) — a walk through the life of the inventor of the Theremin, with a pointed rant about how we came to build the surveillance state for the state. One of the best conference talks ever, and I was in the audience for it!

go.cd — continuous deployment and delivery automation tool from Thoughtworks, nothing to do with the Go programming language. The name is difficult to search for, so naturally we needed the added confusion of two projects sharing the name. Continuous deployment is an important part of devops (“the job of our programmers is not to write code, it is to deploy working code into production”—who said this? I’ve lost the reference already).

Apple iBeacon Developer Programme — info locked up behind registration. Sign an NDA to get the specs, free to use the name. Interesting because iBeacon and other Bluetooth LE implementations are promising steps to building a network of things. (via Beekn)

February 26 2014

Editor's note: Despite the lip service given to adopting the principle of transparency in Internet governance, there are no official procedures that government agencies must follow when requesting user data and content deletion from Internet service and content providers. In 2013, the Hong Kong Police Force made 7,462 requests for user data under the pretext of “crime investigation”, yet the process was not monitored by any judicial bodies. Worse still, government officials refused to review the existing practice when confronted by a legislative council member.

The report below was originally written by Michelle Fong and published on inmediahk.net in Chinese on February 19, 2014. It was translated into English by Alpha Au.

The Head of Hong Kong Police Force is watching you. Image from inmediahk.net's Facebook page.

Among all of Hong Kong's government agencies, the police force made the most user data requests and the Department of Health made the most content deletion requests to Internet service and content providers (ISPs and OSPs) last year. This information was revealed when Legislative Councillor Charles Mok demanded that the government disclose the information to the public on February 19, 2014.

It was found that the Hong Kong government submitted 7,462 requests in 2013, involving 6,099 Internet users. Only some of the requests made by the Hong Kong Police Force obtained court orders, but the government refused to reveal the exact number of cases that involved court orders.

Godfrey Leung, the Secretary of the Commerce and Economic Development Bureau, openly refused to review the existing information request system and rejected the idea of publishing a transparency report for the public regarding government requests made to ISPs and OSPs. Disappointed by Godfrey Leung's response, Charles Mok said, “If the government refuses to release a regular annual report, I will file the same set of questions every year in the Legislative Council.”

During the council meeting on February 19, 2014, Mok asked the government to reveal the number of government requests made to ISPs and websites and services related to user data and content deletion. According to the government document, between February 2013 and February 2014, the Hong Kong government made 5,507 requests for user data, which involved 5,541 Internet users.

More than 82 percent of the total requests – 4,557 requests – came from the Hong Kong Police Force. They claimed that the requests were made “to prevent and detect high technology and Internet crime” as they were handling 5,212 cases of high technology crime in the same period. However, only a portion of the requests was made under court order, and not all the requests were acceded to by service providers. The government provided no further details on the exact number of court orders and request rejections.

The Customs and Excise Department came in second with 873 user data requests made to “prevent and detect crime”. It is worth noting that 70 requests were made by the Office of Communications Authority, a department that is responsible for Internet governance. They asked for the email registrant's real name, address, phone number as well as the registration date and status, message sent records and related IP addresses, claiming that the information was needed for “investigating unsolicited electronic messages”, i.e. spam. The 70 requests involved 106 users, again without any court order. All the requests made by these two departments were approved. Other user data requests came from the Inland Revenue Department and Companies Registry.

A total of 1,955 content deletion requests were made from six government departments, involving 558 Internet users. The Drug Office and the Chinese Medicine Division from the Department of Health demanded the deletion of 1,321 and 210 content items respectively, accounting for 80 percent of the total number of content deletion requests. The reason was “suspected auction or sale of unregistered proprietary Chinese medicines”. All their requests were approved. The Customs and Excise Department also asked OSPs to delete 391 content items, including webpages, user accounts and hyperlinks, to “combat of intellectual property infringement offense”.

Last year, Mok also asked the Hong Kong government to disclose the data of requests made to ISPs and OSPs between February 2010 and February 2013. Over those three years, the government had made more than 14,000 user data requests and 7,000 content deletion requests.

Currently, there is no guideline for government departments for filing user data and content deletion requests, and most ISPs and OSPs do not issue transparency reports that inform the public on government monitoring and surveillance activities.

Chicago PD’s Using Big Data to Justify Racial Profiling (Cory Doctorow) — The CPD refuses to share the names of the people on its secret watchlist, nor will it disclose the algorithm that put it there. [...] Asserting that you’re doing science but you can’t explain how you’re doing it is a nonsense on its face. Spot on.

Cloudwash (BERG) — very good mockup of how and why your washing machine might be connected to the net and bound to your mobile phone. No face on it, though. They’re losing their touch.

What’s Left of Nokia to Bet on Internet of Things (MIT Technology Review) — With the devices division gone, the Advanced Technologies business will cut licensing deals and perform advanced R&D with partners, with around 600 people around the globe, mainly in Silicon Valley and Finland. Hopefully will not devolve into being a patent troll. [...] “We are now talking about the idea of a programmable world. [...] If you believe in such a vision, as I do, then a lot of our technological assets will help in the future evolution of this world: global connectivity, our expertise in radio connectivity, materials, imaging and sensing technologies.”

February 25 2014

“Your generation is blessed. Everybody has a phone now, internet is accessible everywhere, satellite TV is available in almost every home. What more do you need?”

This was thrown at me by a middle-aged Jordanian taxi driver who took me from the Amman airport to the Arab Bloggers Meeting last month. I was trying to share with him my frustration about the situation of freedom of expression in the Arab world.

Three years earlier, I may have agreed with the man’s comment. Today it seems to encapsulate almost all that is wrong with the way some of us still think about how technology can change things.

It’s true that communications technology has revolutionized the way we learn about the news or the way we spread ideas – or even the way we relate to each other. Three years back, it even seemed that it had finally succeeded in cracking the wall of censorship and fear that plagued the Arab region for decades. Social media platforms, blogs and the increasing availability of smart phones allowed a generation of citizen journalists to report and inform, while activists could mobilize and organize at a level not seen in the region for decades.

It seemed that people no longer had to worry about censorship and government control over the media. We were the media.

A lot of us believed that the mere access to modern means of communications had acted as the catalyst that allowed the sweeping wave of protests to continue, gather pace and arguably succeed. Today, not many of us are ready to make that unblinking assumption.

New challenges

The challenges faced by bloggers in the Middle East and North Africa have shifted substantially ever since.

(By blogger, I don’t only mean a person keeping a blog, but rather anyone using the Internet for political or civic engagement.)

Since our last Arab bloggers meeting in Tunis in 2011, at least two major changes have occurred:

For one thing, bloggers are no longer expected to be “mere” commentators. From simple observers to active participants, a lot of them had to adapt to a new, more complex political reality where a lot more is demanded of them.

This called for a whole set of new skills and resources that those most active, most influential or those who agitated for the revolution didn’t necessarily have in store. They are looked at for answers, ideas, actions in so many more areas and ways than they used to be. And in a bitterly polarized region where things are moving so fast and so much is happening every day, the task can seem crushing — almost paralyzing.

I know that this has caused many around me to question their role. I also know that it’s been cause for frustration about the lack of resources pro-democracy activists generally have access to. Some of us just couldn't cope and gave up trying. Some even stopped being active online.

Secondly, the nature of the threats against freedom of expression online has equally shifted: Prior to the revolutions, governments in the region seemed resigned to the idea that Internet filtering was the primary way to stifle free expression on the web.

But now they seem to have learned a new lesson: Censorship may be cheap and efficient, but it is relatively easy to expose. Surveillance, on the other hand, is more subtle and much harder to identify.

Over the last three years, electronic surveillance and interception technology have very much become the name of the game. A multi-billion dollar market has sprung up and many governments in the region seem happy to cash in. Today, with very few exceptions, many of those governments spend huge sums of money on expensive, state-of-the-art electronic surveillance and interception technology, most of it developed by western private companies.

Take the case of my country, Morocco, for example:

In 2012, the country purchased a two million USD program called Project Popcorn, developed by French company Amesys. It is said to be able to intercept and monitor all sorts of communications at a country-wide scale.

The same year, a Moroccan online activist group was visited by “Da Vinci”, a sophisticated virus worth half a million US dollars and developed by a Milan-based company, revealingly named Hacking Team. It is said to be able to compromise any operating system, take control of specifically targeted computers and communicate keystroke records and private files to a distant server.

For all we know, this is only the tip of the iceberg.

Similar instances were flagged in places like Bahrain, the United Arab Emirates, Syria, Egypt. And the list is growing.

As a result, while censorship remains a major weapon against free speech in the region, electronic surveillance, with its chilling effect on free speech, is becoming a serious threat.

It’s no surprise that three years after the start of the Arab revolutions, the situation of online freedom of expression in the region seems almost as bleak as it did before 2011.

Planting the seeds for a better future

How are we coping with the new reality? Are there any new and creative forms of online activism that have succeeded in the last three years and that we can learn from?

How can we ultimately play an effective role in improving the internet freedom situation in our countries? And to what extent can we rely on technology to protect us online?

These are but some of the questions that participants at the fourth Arab Bloggers Meeting (#AB14) set out to answer.

For four days, the meeting (co-organized by Global Voices Advocacy and the Heinrich Böll Foundation) brought together 70 bloggers, activists, artists, and trainers from all over the world, including from 16 Arab countries. Participants, like myself, were full of questions and keen to share their stories and skills while also anxious to learn from their peers.

Perhaps the most important lesson I left with is the idea that despite our broader access to modern means of communication in the region today, they seem to only work at the periphery and not necessarily as a major factor for change as a lot of us seemed to think three years back.

There’s a need to find ways to connect and combine online activity with the “offline” efforts of people who traditionally work to effect change in the real world. And that process seems to work towards change only when technology succeeds in mobilizing and organizing a broader and diverse sector of society.

Arab bloggers today are fighting a tough fight – an asymmetrical warfare, where it is no longer a question of access to technology alone, but also a larger, more fundamental question of user rights, of how technology is governed and whether it’s free from government interference.

The ominous feeling that someone may be looking over our shoulders makes it difficult, even for the most daring among us, to operate freely.

But this is not a lost battle. We may not be so blessed of a generation after all, but I feel like AB14, by bringing us together, has succeeded in planting the seeds for a better future.

February 18 2014

Several people have reported that police and National Guard officers are seizing the mobile phones of protesters and detainees in Venezuela. As Venezuela reaches its fifteenth day of protests in the streets, protesters believe police are reviewing their personal information, erasing pictures and video of the protests and sending messages to their families and friends. José Vicente Haro, a Venezuelan lawyer and law professor working to defend the detained students, tweeted:

Detainees in CICPC have had their cell phones taken away [by the police] and [they] said they will return them on Monday. They are reviewing the information on their phones.

Since last week there have been reports that policemen are using the students’ cellphones to send prank messages to their friends and family. Eduardo Lischinsky, a student who has been participating in the demonstrations, said:

Journalists @JPBIERIL and @perezvaler17 were detained and the GN took their cell phones. Watch out @espaciopublico @ipysvenezuela

After talking with relatives of the detained, journalist LuisCarlos Díaz posited that the police and National Guard were not only holding the phones to make jokes, but also to erase photos, videos, and other evidence of protests:

Another repressive measure in Venezuela is taking away the phones of the detained to erase pictures and videos and to review personal information.

Amid the protests and with censored media, Venezuelans have turned to the Internet to share photos, video and information on the demonstrations and their subsequent repression. Protesters in the Chacao district of Caracas streamed video of one of the most violent area protests, which had been viewed by 230,225 people as of February 18.

February 14 2014

This Valentine's card featuring a poem about love in the post-Snowden era was published in order to draw attention to the importance of secure communication. The text was written by netizen skylark1848; the design and illustration of the poem are the work of artist Xpectro.

Love in the Time of Code Era

With you I am not alone
this transfer protocol is falling prey
to various ARP attacks
they've launched in the name of security.

My full address list was cached
in my DN/A/S.
The one I was longing to share only with you.

They have obtained it. Flush.

It's been a year you first whispered in my ear that PGP is of no use anymore. We are no XMPPtions so, sweetheart, have you received my message? What does the server know?

And now, perhaps https protects my message but not my identity. This is not a secure chat room built from decentralised bricks of bits coming from tunnels rooted all over the world. Lanterns signaling the nodes are lit by cables taped along the pathways by ever-recording hands.

They have created this channel for you and I. They are watching us while
we are falling for each other over a pixellated video conversation. The connection lags, and you log off and on.

Our keys are corrupted. Everything you know about me has to be erased. Format your brain and write all over the drive. Fill your disk space with random floating numbers.

February 13 2014

The SIM cards of over two million Zambian mobile phone users were deactivated last week, according to the Zambia Information and Communication Technology Authority. After spending several months pushing subscribers to register their SIMs, the regulatory body now says that those who did not meet the January 31 deadline have had their SIMs deactivated.

Most people in Zambia, a country with a population of just over 13 million, own up to three SIM cards, one for each telecommunications service provider. Zambians also use them to access mobile Internet services.

In a statement released shortly after the close of registration ZICTA announced that out of a subscriber base of 9,462,504, “a total number of 8,235,991 SIM cards have been registered while 2,215,376 have been deactivated.”

Apart from cutting off services to subscribers who failed to register their cards, ZICTA also threatened to punish any of the three mobile phone service providers MTN, CellZ and Airtel in the same statement, stating:

As is the case in any process of this magnitude [SIM card registration], some level of margin of error is expected and accepted. Any Service provider found to have mistakes within the margin of error will be requested to re-run their system. However, for any Service Provider whose errors shall be above the accepted threshold will be punished by Law.

The SIM registration process did not go over without problems. Some people who had registered at the beginning of the exercise, four months prior to the deadline, discovered last month that they were not on the final list of registered subscribers. Others had their numbers under different names and even the wrong gender.

Former Vice President Brigadier-General Godfrey Miyanda, a leader of the now-opposition Heritage Party and a vocal critic of SIM registration policy, had one of his SIM cards registered without his knowledge. The phone company later apologised.

Gen. Miyanda is among some subscribers who have threatened to take ZICTA to court for allegedly threatening their rights and freedoms pertaining to privacy, property ownership and communication. On the last day of registration, Gen. Miyanda, in what he referred to as his last post, wrote:

Fellow internet partners and the Social Media family, I wish to inform you that the Zambia Information and Communication Technology Authority (ZICTA) have reminded me that by midnight this day they will cut me off from civilisation by arbitrarily deactivating my SIM cards without just cause. I have NOT committed any crime, neither is there a credible record of the prevalence and/or abuse of these communications gadgets to justify any derogation from the said guaranteed rights.

Gen Miyanda, who had written several statements on this issue, continued:

By this single act ZICTA is attaching the condition that before I can enjoy my guaranteed freedom of expression I should first apply to the Authority or their agents to be registered. By the same token ZICTA are infringing my right to privacy and other proprietary [rights]. I contend that these freedoms and liberties cannot be taken away arbitrarily or traded for a few minutes of airtime. My communications to ZICTA and the Mobile Service Providers have remained unanswered. This means that by midnight I shall not be able to communicate or use my purchased implements for such communication. In short until this issue is resolved I shall be off air, including off the internet. This is my Last Post for now.

A journalist and mobile phone subscriber who has threatened class action against ZICTA complained that local media had not covered his anti-SIM card registration fight. Kasebamashila Kaseba alleged that the media was compromised by the regulatory body which sponsored various media activities including awards and working breakfasts. He stated:

As we close and review the public and media debates, to open the court process, in view of ZICTA deadline of Friday, 31st January, 2014 for SIM card deactivation, I wish to say and may elaborate later that we may not seek an “injunction” or “judicial review” as the matter is outside the law or SI 65 of 2011. Instead, the “class action” as already mentioned elsewhere may include action against some public media houses that benefited from the ZICTA SIM card registration […] campaign of deactivation and may include “citizen’s arrest.”

A week ago, the Web We Want initiative challenged artists everywhere to produce cartoons on the topic of NSA surveillance, in support of #TheDayWeFightBack. We received more than 70 submissions from all over the world, and today we’re announcing the winners, as judged by the Web We Want team. All submissions can be viewed on our Flickr photo stream here.

In first place, receiving a $1000 prize, is Francisco Javier “Frankiano” Cardozo Baudry. He is just 17 years old, a true digital native from Asunción, Paraguay. His contribution “Do Not Fear, I care about you” (above) shows how surveillance is invading each and every moment in the daily life of a young person these days. The PDF of this multi-frame cartoon can be downloaded here. We will ask him to make editable versions available so activists all over the world can easily translate, adapt and use his amazing material.

Anti-surveillance cartoon by Carlos Latuff via Flickr (CC BY 4.0)

Second place goes to cartoonist Carlos Latuff from Brazil, who produced a piece (right) representing a single national leader monitoring the communications of the entire world. Third place goes to American cartoonist Jimmy Margulies, whose work highlighted wiretapping of foreign leaders.

A video (below) submitted by digital rights group Red PaTodos in Colombia deserves an honorary mention and we encourage them to upload it in a collaborative platform such as DotSub, including its script, so others can translate and add subtitles to it. It neatly explains current threats and challenges to online privacy.

The cartoons produced by activists and artists from different countries and contexts show a common pattern: They acknowledge the invasion of their private space, private life and daily activities by those in power. Intelligence agencies are pictured as dark forces by many of the authors and US President Obama is the main character in several submissions. The computer was not shown as the sole method of surveillance – there were also submissions related to telephone surveillance and CCTV cameras, parents spying on children, the military spying on users, physical surveillance and also the role of private corporations that use data collection and consumers habits as business models. One explained in simple terms what the NSA is currently doing, while others show how we interact and watch via our devices.

All the cartoons are licensed under a Creative Commons Attribution Share Alike 4.0 License which will allow each and every activist, journalist, school teacher and creative around the world to use them, adapt them, modify them and remix them, keeping the content open.

The Web We Want promotes and defends the protection of personal user information and the right to communicate in private. Expect more soon!

February 12 2014

“If you have nothing to hide, why not let someone film in your bedroom and bathroom?” asks Jérémie Zimmermann, from French digital rights group La Quadrature du Net, in a song where he partners with La Parisienne Libérée who blogs [fr] on Mediapart.

In this catchy song, the two explain what is at stake for privacy with the global surveillance carried out by the NSA using our personal data scooped up and transferred by Facebook, Google and other platforms. Zimmermann says:

To tell yourself — oh I have nothing to feel guilty about and therefore I have nothing to hide — is totally disconnected from reality in which generalised surveillance by the NSA works on the principle of three degrees of separation. If you've been in contact with someone, who has been in contact with someone who has a — perhaps long-lost — brother, a guy with a beard who is suspected of terrorist activities, then potentially all your email correspondence, your online presence, your phone calls, your SMS, all that, is spied upon by the NSA.

February 11 2014

The Chinese government has launched a massive crackdown on prostitution in Dongguan, a well-known sex industry hub in southern China.

In addition to a news feature on China Central Television about the corruption of the sex industry in Dongguan, the official Sina Weibo published an eight-hour population in-flow and out-flow map of Dongguan city, which has been interpreted as the escape path of “prostitutes” and “prostitution clients” during the crackdown. Generated by Baidu Qianxi with data from Baidu map, the map indicated that most people fleeing the crackdown “escaped” to Hong Kong.

Baidu's 8-hour population flow map during the crackdown on prostitution in Dongguan city was released through Sina Weibo official account. Image via Apple Daily.

Originally, Baidu Qianxi was designed as a visualization tool that could map population flows during the Chinese Lunar New Year. But as Luo Changping at Letscorp pointed out [zh], the fact that Baidu Qianxi was able to appropriate the data surrounding the prostitution crackdown suggests that authorities are using mass surveillance to track these patterns, rather than only targeting criminal suspects, and thereby violating the personal privacy of untold numbers of citizens.

Some technology bloggers such as Lui Xuewen noted that the so-called “escape route” shown on the map was highly misleading as there were other reasons behind the population flow. In fact, on an ordinary day, population flow between the two cities can be even higher, as many factories in Dongguan are owned by people from Hong Kong.

The use of geolocation tracking technology in this crackdown by the party propaganda authority indicates to the public that the police authority, through Baidu and other mobile application developers, is capable of tracking mobile phones and thus the real identity of individuals, as nearly all mobile numbers are linked with the owner's identity card. In reaction to this threat, many Hong Kong netizens said that they planned to shut down their mobile when traveling in China.

On Twitter, many Brazilians are linking the day of action with the country's pioneer bill of rights for Internet users, the “Marco Civil da Internet” (Civil Framework for the Internet), which will be brought to the floor in a plenary session [pt] in the House of Representatives today. A group of civil society organizations is expected to meet the Minister of Justice [pt] to voice “serious concerns” regarding the latest modifications to the bill, especially with respect to “the right to the inviolability and secrecy of the flow and content of private communications, the right to privacy and freedom of expression.”

“Censorship doesn't matter, surveillance is the real problem.” This was the subject of a panel at the 4th Arab Bloggers Meeting held in Amman, in January 2014 – it was one of the most exciting panels I have ever been on. I argued against this proposition, countering that censorship does matter and will continue to matter because it violates our fundamental right to free speech. But I also noted that surveillance violates another fundamental human right – the right to privacy.

Throughout my years as a journalist, media researcher and activist, I have seen many colleagues envision a dichotomy between privacy and free speech. But this can often lead to a dead end. These values can and should often co-exist without the need for one to cancel out the other. But occasionally these rights can come into conflict with one another.

Privacy and free speech are merely two of many other universal human rights, which also include the right to education, right to security, right to peace, right to religious practice, etc.

A typical example is the sensationalist news stories where paparazzi abuse their right to speech by publishing nude photos of politicians in their own bedrooms. In this case, the right of privacy is violated by the exercise of free speech. Similarly, it could be argued that the right of free speech has been trumped by the protection of privacy (and security) as demonstrated by the hiding of key information about the NSA surveillance program – information considered a state secret for its alleged role in protecting national security.

But most frequently I find that surveillance ends up becoming a form of censorship. When CCTV cameras are used to monitor user online activities at Internet cafes, users may censor themselves just to ensure they don’t get in trouble. This breach of their privacy stands in direct violation of their right to speak freely.

To me, nothing was more devastating than having the right to express my views taken away from me. It happened when my website YemenPortal.net was censored by the Yemeni authorities in 2008. It was an awful feeling of deprivation of one of my basic rights. I knew that I was only one of millions in Yemen and the Arab world whose right to free speech has been violated through censorship.

For those living in Western societies where free speech is protected with constitutional guarantees that largely prevent laws abridging free speech, censorship is not that common and so surveillance may be a priority. But for us in the Arab world, I believe we are still struggling to have our voices heard. I cannot accept the idea that the fight has now moved to the area of surveillance and away from free speech. While this may be the case where censorship is limited or non-existent, it is certainly not applicable to many countries living under authoritarian rule.

Privacy and free speech are merely two of many other universal human rights, which also include the right to education, right to security, right to peace, right to religious freedom. If we look back in history, we find that most of the time, the right to free speech preceded the right to privacy. As social animals, humans have depended on their need to communicate and open up to each other to survive and prosper. While the urge to communicate and exchange thoughts has been with us for an awfully long time, the need to have privacy is relatively new. But indeed, it has become increasingly accepted with the growth in populations.

It is unnatural for someone to prefer being in total privacy over being able to speak freely. The notion that free speech is not important as long as privacy is protected is unjustifiable. After all, in a prison cell somewhere in a deserted area, I have all the privacy I need, but I cannot reach the world to say what I want. We were born free with a desire to speak out freely to express our grievances, needs and desires.

The importance of privacy for both Arab activists and citizens alike ought to be recognized. However, protecting privacy using a purely technologically-driven approach through the use of anonymizing tools such as Tor is not enough. Technology will not solve a problem as entrenched and complex as surveillance, and a technologically deterministic stance in that respect is not helpful – after all, in Arab countries (and many other parts of the world) surveillance is as prevalent in real life as it is online.

Protecting free speech and privacy requires more than microprocessors – it requires humans willing to rise up and change government policies, practices, misguided cultural beliefs, and other more deeply-rooted problems. One should take a more comprehensive approach where free speech and privacy – along with the other fundamental rights – need to be addressed, without compromising one for the other. I know that only by recognizing the complexity of the problem can we rise to the occasion and solve it.

The revelations surrounding the surveillance practices of the NSA and other Western government intelligence agencies may have made 2013 the year the Internet lost its innocence within democratic states. But this state of perpetual, pervasive surveillance has long been part of everyday life within the Islamic Republic of Iran. While security and privacy concerns have recently become a mainstream concern in the Western world, Iranians have long known the risks of sharing information through communications technologies.

Shunood, the term most often used for surveillance in Farsi, comes from the word shenidan, which means to listen. Relatedly, surveillance within Iran is commonly associated with the wiretapping of phones — a common practice within Iran since the introduction of the technology to the country. In July 2013, the outspoken Parliamentarian Ali Motahari discovered his office had been bugged with recording devices — many suspected the devices were installed by Iran’s previous hard-line Minister of Intelligence. In recent years, advances in communication technologies have changed the state’s surveillance apparatus. From data mining and eavesdropping through the ultra pervasive Deep Packet Inspection (DPI) method, to control over meta-data collected by telecommunication companies, and physical wiretapping (which is the most popular method inside Iran), researchers have identified various digital surveillance methods.

During and after the Green Movement of 2009, security researcher Chris Parsons found strong evidence suggesting that sophisticated surveillance technologies such as DPI were used by the government during this period. Tebyan Zanjan, an Iranian website covering ICT news, has reported on different methods of government data collection, from DPI to telephone wiretapping, further illustrating the government’s surveillance capabilities.

In sum, it is common knowledge among Iranians that if the state can, it will spy on its citizens.

Two important legal standards exist for surveillance practices. Both call for due process in instances when the state engages in surveillance. Article 25 of the Constitution indicates:

The inspection of letters and the failure to deliver them, the recording and disclosure of telephone conversations, the disclosure of telegraphic and telex communications, censorship, or the willful failure to transmit them, eavesdropping, and all forms of covert investigation are forbidden, except as provided by law.

At the same time, Article 104 of Iran’s Criminal Code of Procedure for Public and Revolutionary Courts states:

In cases where there is a need to inspect and detect mailing, telecom, audio and visual correspondences related to the accused, in connection with investigation of a crime, the judge will inform the respective officers to confiscate [these materials] and send them to him or her. Once they are received, they will be presented to the accused, noted in the minutes, and attached to the file after being signed by the accused. Refusal of the accused to sign will be noted in the minutes and in case the items are not of relative importance, and if the confiscation is not necessary, they will be returned to the owner obtaining an acknowledgment of receipt.

While laws exist to protect the privacy of individuals, there is a dissonance between the laws and practices of the state. These protections are often lost between the many different authorities who administer these practices within a complex, larger government apparatus, with various Ministries and organizations of different branches involved. The central entity involved in mass data collection from communications technology is the Telecommunications Company of Iran (TCI), or Mokhaberat in Farsi. This organization falls under the jurisdiction of the Ministry of Information Communication Technology (ICT), but maintains private shareholders. While there are conflicting reports concerning the precise nature of the influence of Iran’s Revolutionary Guards over the TCI, it is widely known that they own the greatest shares of the TCI, placing this body in the hands of an entity accountable only to the Supreme Leader. Although often difficult to prove, many experts suspect these shareholders are associated with elements within Iran’s Revolutionary Guards and Basij (IRGC).

The Ministry of Intelligence, the IRGC, FETA (Iran’s Cyber Police), Ministry of Defense, Ministry ICT, the Passive Defense Organization (PDO), and the Supreme Council for Cyberspace (SCC) are all involved in the country’s surveillance regime, but they are often accountable to different authorities and represent different motivations and ideologies, ranging from hard-line elements in the opposition to reformist or moderate influences within the elite.

On February 11, when the world takes a stand for privacy rights in the wake of Edward Snowden’s NSA leaks, we should not forget the practices that have always existed, and continue to prosecute and imprison Iranians. While we stand up against countries like the United States, Canada, and the UK for their violations of our privacy rights, ASL19 urges the world not to forget the circumstances in a country that does not require revelations to reveal the unjust state of privacy and human rights.

February 03 2014

How In-App Purchases Has Destroyed the Games Industry — fantastic before-and-after of a game, showing how it’s hollowed out for in-app-purchase upsell. The problem is that all the future generations of gamers are going to experience this as the default. They are going to grow up in a world, in which people actually think this is what gaming is like. That social engineering and scamming people is an acceptable way of doing business.

January 21 2014

On Being a Senior Engineer (Etsy) — Mature engineers know that no matter how complete, elegant, or superior their designs are, it won’t matter if no one wants to work alongside them because they are assholes.

Control Theory (Coursera) — Learn about how to make mobile robots move in effective, safe, predictable, and collaborative ways using modern control theory. (via DIY Drones)

US Moves Towards Open Access (WaPo) — Congress passed a budget that will make about half of taxpayer-funded research available to the public.

NHS Patient Data Available for Companies to Buy (The Guardian) — Once live, organisations such as university research departments – but also insurers and drug companies – will be able to apply to the new Health and Social Care Information Centre (HSCIC) to gain access to the database, called care.data. If an application is approved then firms will have to pay to extract this information, which will be scrubbed of some personal identifiers but not enough to make the information completely anonymous – a process known as “pseudonymisation”. Recipe for disaster as it has been repeatedly shown that it’s easy to identify individuals, given enough scrubbed data. Can’t see why the NHS just doesn’t make it an app in Facebook. “Nat’s Prostate status: it’s complicated.”

January 14 2014

The Russian Federal Protective Service (FSO) is asking software developers to design a system that automatically monitors the country’s news and social media, producing reports that study netizens’ political attitudes. The state is prepared to pay nearly one million dollars over two years to the company that wins the state tender, applications for which were due January 9, 2014. Though the FSO’s RuNet-monitoring contract has been online [ru] at the government’s official Procurement Portal, www.zakupki.gov.ru, since December 18, 2013, news of the project broke only today, January 10, 2014, when the newspaper Izvestia published an article [ru] about it.

Izvestia’s coverage of the story bears all the hallmarks of Kremlin-friendly reportage, sandwiching comments by one critic of the FSO between two supporters of monitoring the Internet. Indeed, Izvestia quotes Maxim Kononenko, a pro-Putin RuNet guru, as its lone opponent of the FSO. (Kononenko doesn’t actually oppose the project, but only argues that the FSB, rather than the FSO, should oversee such work.) Journalist Sultan Suleimanov tweeted the following joke about Izvestia’s apparent integrity:

When it must, Izvestia works as a true propaganda machine. See how, for the blogosphere monitoring story, they went for “criticism” to Kononenko.

Anton Nossik, another titan of the Russian Internet and an extremely popular blogger, agrees that Izvestia’s article played the role of propaganda, but he sees it as distraction rather than promotion. According to Nossik [ru], the FSO’s grand monitoring system is nothing more than a cheap scheme to siphon money from the state budget, charging millions of rubles for software that simply googles publicly available content. More importantly, Nossik discovered that the FSO hired a company to design an identical project [ru] in September last year, when the price tag was far smaller, at just over US$200,000.

Anton Nossik, 21 February 2007, public domain.

One week after the FSO launched a second auction for a new round of Internet monitoring, an entrepreneur named Lana Istomina [ru] lodged a complaint with the Federal Antimonopoly Service, objecting to terms in the FSO’s 75-page contract [ru] that specify the need to use one of four preselected media-monitoring software tools (Glass, Medialogia, Prism, or Medialogia-BAZZ). According to Istomina, the FSO’s refusal to accept bids built on equivalent tools represents a violation of Russian antitrust law.

Nossik argues that Istomina’s complaint was her way of disrupting a redundant tender clearly designed to waste a million dollars on a system that the government already bought:

The whole point of the tender was to pay out state money for a second time for the same thing they’d already bought last year. Now, the entrepreneur Lara Istomina can’t write that because she can’t prove it. But this scheme hardly shines as novel or revolutionary. We see the same thing from year to year. Announce a tender for the creation of an already-existing product—it’s an easy and convenient way to spend some quick government cash on a reasonable pretext.

Nossik believes that the officials responsible for arranging the tender also planted in Izvestia the “grand nationwide horror story” of FSO censorship, in order to divert attention away from their crime. Nossik’s theory is familiar in the Russian media sphere, where any major news event produces a range of skeptics who are inclined to view the story as a plot to manipulate public opinion and pursue private gains. (For instance, after Ivan Okhlobystin’s homophobic letter to Vladimir Putin earlier this week, political analyst Stanislav Belkovsky produced an interpretation [ru] of the stunt that mirrors Nossik’s tone, calling Okhlobystin’s letter a “PR move” with ulterior motives.)

Because it’s so common on the Russian Internet, Nossik’s skepticism about the FSO’s monitoring project would be easy to dismiss. That, however, could be a mistake. The fact that the FSO already operates an identical monitoring project, the steep rise in the cost of this already-completed and automated work, and the presence of Ms. Istomina’s antitrust complaint—it all lends credence to Nossik’s suspicions.

In other words, Russian bloggers now screaming bloody murder about state censors may be ignoring the real bad guys, petty crooks that they are.

January 13 2014

Edward Snowden supporters rally in Hong Kong. Photo by Voice of America. Released to public domain.

Written by Michelle Fong and translated by Sharon Loh, the original version of this article was published on inmediahk.net in Chinese.

Many new media initiatives, both commercial and citizen, have blossomed in Hong Kong over the past two years. These newly founded online media outlets have strong potential to transform not only the professional media sector, but also political processes in Hong Kong, as grassroots voices gain more attention both from the public and from political leaders. Below is an incomplete list:

Burgeoning New Media Initiatives

Hong Kong Dash – a collective blog operated by student activists, established after the anti-national education campaign in Hong Kong in 2012

The House News – a commercial news portal, following the Huffington news model, curating news and offering commentaries to readers

Pentoy – the online version of the commentary page of local newspaper Mingpao

Urban Diarist – an online magazine to record oral history in Hong Kong, sponsored by an architecture firm as a corporate social responsibility project

Post 852 – a newly launched “breaking views” platform formed by a group of media workers who collectively resigned from a local newspaper, Hong Kong Economic Journal

Hong Kong SOW – a social enterprise with an online platform that showcases the practice of “solutions” journalism. The social enterprise was founded by Vincent Wong, director of Strategic Planning of HK Commercial Broadcasting.

Some groups are also making use of Facebook pages to distribute topical news:

United Social Press: a page run by social activists, reporting and distributing news related to local social movements.

Online news outlets sidelined by government

With the new media sector clearly increasing in strength and numbers, the Hong Kong government has been unable to keep up with the changing landscape. Many independent media projects have faced limitations on their work, particularly when seeking to cover government events — obtaining press passes has been a constant challenge.

Last year, citizen news portal inmediahk.net's contributing reporters were kicked out of several press events by government civil servants. These included the second public forum on population policy and the 2013 summit on district administration. In another incident, Home Affairs Department staff barred House News reporters from entering a public consultation where HK mayor Leung Chun-ying was present. The staff claimed that the venue had limited space and was only open to the mainstream media. The Information Service Department, an authority responsible for handling government press conferences and news releases, has routinely refused to send press invitations to online news outlets as they are not recognized as proper media institutions.

In response to this out-dated approach, Hong Kong In-Media, an independent and citizen media advocacy group affiliated with inmediahk.net, issued several statements demanding that the Information Service Department review its policies with an eye towards the changing media landscape, and to place particular attention on the definitions of the terms “media” and “news organization”. The agency has thus far refused to make any changes to its terms.

Technological innovation has resulted in the introduction of new media forms, from newspaper to radio and TV to the Internet — now an essential part of people's everyday lives. If we were to define the notion of “mainstream media” based on audience, many online news outlets would have out-numbered print media such as the pro-Beijing newspapers Wen Wei Po and Tai Kung Pao. It is backward and ridiculous for the government to limit its definition of “media” merely to printed media.

Malicious hacking a persistent threat

Although government restrictions are a substantial barrier for these new groups, online media's biggest enemy is hackers. Last year, a number of online news platforms weathered malicious hacker attacks. Inmediahk.net suffered Distributed Denial of Service (DDoS) attacks in May 2013, with a large number of HTTP requests coming from China. A few months later, in September, The House News became the next DDoS attack victim. Amnesty International Hong Kong’s website was hacked around the same time. The hackers replaced some images on the sites with pornographic photos. SocREC, a social movement documentary video team, had its YouTube account stolen in October. Hackers deleted over one thousand videos published under their account.

Internet freedom and privacy in HK and around the world

Government plans to pass the controversial Copyright (Amendment) Bill failed in 2012. To address public concern over the potential criminalization of parody, the government put forward a public consultation on the exemption of legal liability for parody in the Copyright (Amendment) Bill in October 2013. So far, major copyright holders and concerned citizens are divided in their opinions on the issue. But civil society has managed to put together a counter proposal calling for the exemption of legal liability on all non-profit user generated content.

Last but not least, the most significant event of 2013 concerning Internet freedom was the series of documents leaked by Edward Snowden that revealed the massive online surveillance practices of the US National Security Agency. As Hong Kong was the first stop in Snowden's escape route, Hong Kong In-Media quickly assumed a coordinator role in the organization of local support including producing a public statement and organizing a rally to condemn US spying activities.

Building public awareness about online privacy

Last August, the Journalism and Media Studies Centre of The Hong Kong University and Google Inc. worked together to launch the Hong Kong Transparency Report. The report showed that between 2010 and 2013, various government departments had made more than ten thousand requests for users’ personal data and more than seven thousand content deletion requests to local Internet service providers (ISPs) without a court order. A majority of the requests, 86 percent, came from the Hong Kong Police.

The Chief Executive's political reform package, slated to include universal suffrage in Hong Kong beginning in 2017, will be announced in 2014. As civil society prepares to exercise mass civil actions and independent press coverage to promote a fair candidate nomination process, conventional mainstream media are facing substantial political pressure to censor and tailor their content. In the coming years, we believe Internet-based independent and citizen media will play a crucial role in the democratization process.

January 08 2014

I’m sure it was a Wired editor, and not the author Steven Levy, who assigned the title “How the NSA Almost Killed the Internet” to yesterday’s fine article about the pressures on large social networking sites. Whoever chose the title, it’s justifiably grandiose because to many people, yes, companies such as Facebook and Google constitute what they know as the Internet. (The article also discusses threats to divide the Internet infrastructure into national segments, which I’ll touch on later.)

So my question today is: How did we get such industry concentration? Why is a network famously based on distributed processing, routing, and peer connections characterized now by a few choke points that the NSA can skim at its leisure?

I commented as far back as 2006 that industry concentration makes surveillance easier. I pointed out then that the NSA could elicit a level of cooperation (and secrecy) from the likes of Verizon and AT&T that it would never get in the US of the 1990s, where Internet service was provided by thousands of mom-and-pop operations like Brett Glass’s wireless service in Laramie, Wyoming. Things are even more concentrated now, in services if not infrastructure.

Having lived through the Boston Marathon bombing, I understand what the NSA claims to be fighting, and I am willing to seek some compromise between their needs for spooking and the protections of the Fourth Amendment to the US Constitution. But as many people have pointed out, the dangers of centralized data storage go beyond the NSA. Bruce Schneier just published a pretty comprehensive look at how weak privacy leads to a weakened society. Others jeer that if social networking companies weren’t forced to give governments data, they’d be doing just as much snooping on their own to raise the click rates on advertising. And perhaps our more precious, closely held data — personal health information — is constantly subject to a marketplace for data mining.

Let’s look at the elements that make up the various layers of hardware and software we refer to casually as the Internet. How do centralization and decentralization work for each?

Internet routing within the US has gotten more concentrated over the years. There were always different “tiers” of providers, who all did basically the same thing but at inequitable prices. Small providers always complained about the fees extracted by Tier 1 networks. A Tier 1 network can transmit its own traffic nearly anywhere it needs to go for just the cost of equipment, electricity, etc., while extracting profit from smaller networks that need its transport. So concentration in the routing industry is a classic economy of scale.

International routers, of the type targeted by the NSA and many US governments, are even more concentrated. African and Latin American ISPs historically complained about having to go through US or European routers even if the traffic just came back to their same continent. (See, for instance, section IV of this research paper.) This raised the costs of Internet use in developing countries.

The reliance of developing countries on outside routers stems from another simple economic truth: there are more routers in affluent countries for the same reason there are more shopping malls or hospitals in affluent countries. Foreigners who have trespassed US laws can be caught if they dare to visit a shopping mall or hospital in the US. By the same token, their traffic can be grabbed by the NSA as it travels to a router in the US, or one of the other countries where the NSA has established a foothold. It doesn’t help that the most common method of choosing routes, the Border Gateway Protocol (BGP), is a very old Internet standard with no concept of built-in security.

The solution is economic: more international routers to offload traffic from the MAE-Wests and MAE-Easts of the world. While opposing suggestions to “balkanize” the Internet, we can applaud efforts to increase connectivity through more routers and peering.

IaaS cloud computing

Centralization has taken place at another level of the Internet: storage and computing. Data is theoretically safe from intruders in the cloud so long as encryption is used both in storage and during transmission — but of course, the NSA thought of that problem long ago, just as they thought of everything. So use encryption, but don’t depend on it.

Movement to the cloud is irreversible, so the question to ask is how free and decentralized the cloud can be. Private networks can be built on virtualization solutions such as the proprietary VMware and Azure or the open source OpenStack and Eucalyptus. The more providers there are, the harder it will be to do massive data collection.

SaaS cloud computing

The biggest change — what I might even term the biggest distortion — in the Internet over the past couple decades has been the centralization of content. Ironically, more and more content is being produced by individuals and small Internet users, but it is stored on commercial services, where it forms a tempting target for corporate advertisers and malicious intruders alike. Some people have seriously suggested that we treat the major Internet providers as public utilities (which would make them pretty big white elephants to unload when the next big thing comes along).

This was not technologically inevitable. Attempts at peer-to-peer social networking go back to the late 1990s with Jabber (now the widely used XMPP standard), which promised a distributed version of the leading Internet communications medium of the time: instant messaging. Diaspora more recently revived the idea in the context of Facebook-style social networking.

These services allow many independent people to maintain servers, offering the service in question to clients while connecting where necessary. Such an architecture could improve overall reliability because the failure of an individual server would be noticed only by people trying to communicate with it. The architecture would also be pretty snoop-proof.

Why hasn’t the decentralized model taken off? I blame SaaS. The epoch of concentration in social media coincides with the shift of attention from free software to SaaS as a way of delivering software. SaaS makes it easier to form a business around software (while the companies can still contribute to free software). So developers have moved to SaaS-based businesses and built new DevOps development and deployment practices around that model.

To be sure, in the age of the web browser, accessing a SaaS service is easier than fussing with free software. To champion distributed architectures such as Jabber and Diaspora, free software developers will have to invest as much effort into the deployment of individual servers as SaaS developers have invested in their models. Business models don’t seem to support that investment. Perhaps a concern for privacy will.

January 07 2014

Thinking About the Network as Filter (JP Rangaswami) — Constant re-openings of the same debate as people try and get a synchronous outcome out of an asynchronous tool without the agreements and conventions in place to do it. He says friends are your social filters. You no longer have to read every email. When you come back from vacation, whatever has passed in the stream unread can stay unread but most social tools are built as collectors, not as filters. Looking forward to the rest in his series.

Jacob Appelbaum’s CCC Talk — transcript of an excellent talk. One of the scariest parts about this is that for this system or these sets of systems to exist, we have been kept vulnerable. So it is the case that if the Chinese, if the Russians, if people here wish to build this system, there’s nothing that stops them. And in fact the NSA has in a literal sense retarded the process by which we would secure the internet because it establishes a hegemony of power, their power in secret to do these things.